ASA - Translate Destination IP only?

cpalmerloopt
Level 1

Hello All,

I have a public IP and port (1.1.1.1:80) that is translated to a private IP:

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

The ACL applied inbound on the outside interface permits any hosts to 1.1.1.1:80.

My question is can I policy translate the destination IP:port from outside clients that match specified subnets? (ie: hosts coming from 2.2.2.0/8 to 1.1.1.1:80 are translated to 1.1.1.2:81) ?

(and any necessary static and ACL additions would be performed).

Thanks,

Christopher

10 Replies

darkbeatzz
Level 1

I don't understand why you would want to do this if both public IPs are in the same range?

If they are, then just have a static NAT to 1.1.1.2:81 and limit access to it with an ACL?

Basically, the public IP is advertised in DNS, and could be hard-coded in an application. However, depending on the client source IP, they may need to be serviced by a different backend server.

BrinksArgentina
Level 1

I don't understand.

Do you need clients from 2.2.2.0 to be mapped to 192.168.1.1 and clients from 3.3.3.0 mapped to 192.168.1.22, for example?

Yes, that's basically it. Both sets of clients would attempt to connect to 1.1.1.1:80 (for example), but their true destination IP:port would be decided based on their source IP. Does that help clarify?

I am preparing the lab, if the phone doesn't ring, I will tell you my results in a few hours.

After reading, trying and remembering, the answer is:

NO, you can't map an ip:port to two different ip:port destinations.

If you can't change the destination ip:port, maybe you can do a DNS trick or something like that.
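As an added example (not from the thread or from Cisco), one form of the "DNS trick" the accepted answer mentions: a BIND 9 split view answers clients in the 2.x.x.x range with a second public address, and the ASA statics that address to the other backend. Assumptions: the clients resolve a hostname (app.example.com, a placeholder) rather than a hard-coded IP, the zone files referenced exist, and the /8 is written as 2.0.0.0/8 because BIND requires the network address; DNS can only steer by address, so the second backend needs its own public IP and the port change is done by the ASA static, not by DNS.

```conf
// named.conf fragment (assumed layout): clients from the 2.x.x.x range get
// a different answer for the application hostname than everyone else.
acl "steered-clients" { 2.0.0.0/8; };   // the /8 that contains 2.2.2.0

// First matching view wins, so the specific view goes first.
view "steered" {
    match-clients { "steered-clients"; };
    recursion no;
    zone "example.com" {
        type master;
        // db.example.com.steered: app.example.com. IN A 1.1.1.2
        file "db.example.com.steered";
    };
};

view "default" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        // db.example.com: app.example.com. IN A 1.1.1.1
        file "db.example.com";
    };
};

// ASA side (assumed, pre-8.3 syntax like the thread's own static line):
// a second static maps the new public address to the other backend and
// performs the 80 -> 81 port change that DNS cannot express.
//   static (inside,outside) tcp 1.1.1.2 80 192.168.1.2 81 netmask 255.255.255.255
// The outside ACL then needs a matching permit for tcp any host 1.1.1.2 eq 80.
```

Check it with `named-checkconf` and a `dig @server app.example.com` from a host inside and outside 2.0.0.0/8; the two answers should differ.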

Thanks. I did some basic reading/trying and couldn't see it happening, but it was an odd case and you never know...

This kind of policy nat and balanced internet connection are two of the most important ASA missing features.

Thanks 4 rating

the solution to your problem is to use checkpoint :-)

Oh OK :)

We could perform this stuff post-ASA (ie: on an F5 BIG-IP), but that equipment isn't in place at the moment. I was hoping that the ASA had a couple more features beyond the thousands it already possessed!
